This tweet highlights that while Web Application Firewalls (WAFs) provide an important layer of defence, relying on them alone does not protect an application. A WAF matches request traffic against signatures for common attack classes such as XSS, SQL injection and RCE payloads, so it blocks many attacks, but the same reliance creates blind spots: a payload the signatures do not recognise passes straight through to the application, and a flaw that is not expressed as a malicious-looking request is never examined at all. The tweet encourages security teams to adopt full-scope security testing, meaning that the application and its code are tested directly, with the WAF treated as one mitigating layer rather than as the thing being tested. This expanded approach surfaces vulnerabilities that a WAF alone would miss, reducing overall risk and improving the security posture of the application or system.
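As an added illustration of the blind spot described above (example code written for this page, not from the tweet or from any WAF product): a toy signature filter modeled on a WAF rule blocks the textbook SQL injection string, but a slightly reworded payload slips past it and still authenticates against a login routine that concatenates user input into SQL. The parameterized version of the same routine rejects the payload whether or not the filter saw it, which is the defect that application-level testing finds and a WAF cannot. The signature patterns, the users table and the payloads are all constructed for this example.

```python
import re
import sqlite3

# Toy signature list in the spirit of a WAF rule set. Constructed for this
# example; these are not the rules of any real product.
SIGNATURES = [
    re.compile(r"'\s+or\s+1\s*=\s*1", re.I),   # classic ' OR 1=1
    re.compile(r"union\s+select", re.I),       # UNION-based extraction
    re.compile(r"<script", re.I),              # textbook XSS tag
]


def waf_blocks(value: str) -> bool:
    """Return True if the toy WAF would reject this parameter value."""
    return any(sig.search(value) for sig in SIGNATURES)


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: input is concatenated into the SQL text."""
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized: values are bound by the driver and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def run(login, conn: sqlite3.Connection, username: str, password: str) -> str:
    """Model the deployment: the WAF inspects the request first, then the app
    handles it. Returns 'blocked', 'authenticated' or 'denied'."""
    if waf_blocks(username) or waf_blocks(password):
        return "blocked"
    return "authenticated" if login(conn, username, password) else "denied"


# Constructed payloads. The second one replaces the whitespace the signature
# expects with SQL comments and uses a tautology other than 1=1.
TEXTBOOK = "admin' OR 1=1--"
VARIANT = "admin'/**/OR/**/2>1--"

if __name__ == "__main__":
    db = make_db()
    for label, user in (("textbook", TEXTBOOK), ("variant", VARIANT)):
        print(f"{label:9s} concat: {run(vulnerable_login, db, user, 'x'):13s} "
              f"parameterized: {run(safe_login, db, user, 'x')}")
    print(f"legit     concat: {run(vulnerable_login, db, 'admin', 'correct horse'):13s} "
          f"parameterized: {run(safe_login, db, 'admin', 'correct horse')}")
```

Running it shows the textbook payload blocked at the filter for both code paths, the variant authenticating through the concatenated query and denied by the parameterized one, and the legitimate credentials accepted by both. Tightening the regex would only move the line; the concatenation is what a code review or a test that exercises the application directly would flag.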
Original tweet: https://twitter.com/daveandcori/status/1955721884928237988